Make WordPress Core

Opened 3 years ago

Last modified 9 months ago

#21938 new enhancement

Add "no-store" to Cache-Control header to prevent history caching of admin resources

Reported by: soulseekah Owned by:
Milestone: Awaiting Review Priority: normal
Severity: trivial Version: 3.4
Component: Administration Keywords: has-patch
Focuses: Cc:


The current implementation of wp_get_nocache_headers does not take into account history caching, which results in a browser serving a cached copy of pages from history (by pressing the Back button) even if the user has long logged out.

RFC 2616 14.9.2 no-store describes this cache directive.

To repoduce: login to dashboard, logout, press the back button.
Expected: the login screen.
Reality: a copy of the previous page.

By adding the "no-store" directive to all non-cachable resources the behavior was mitigated successfully in Chrome 21, Firefox 15. Fails on Opera 12 (they chose to disregard "no-store" when applied to history, RFC allows this).

Attachments (1)

21938.patch (509 bytes) - added by soulseekah 3 years ago.
"no-store" please

Download all attachments as: .zip

Change History (9)

@soulseekah3 years ago

"no-store" please

comment:1 @kovshenin3 years ago

  • Cc kovshenin added

comment:2 @ocean903 years ago

  • Cc ocean90 added

comment:3 follow-up: @toscho3 years ago

  • Cc info@… added
Version 0, edited 3 years ago by toscho (next)

comment:4 in reply to: ↑ 3 @soulseekah3 years ago

Replying to toscho:

That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.

Agreed, under certain circumstances this could be a nuisance, especially if users are logged in and the admin bar is shown. As for performance, it seems that all of twitter is served with "no-store" and it does appear (to me) to be quite jagged navigation-wise.

Without a proper step-by-step testing plan in mind, I guess I'll use the patch in production for a bit to see if it causes any unexpected issues in general.

comment:5 @nacin3 years ago

The other issue is sometimes you want the back button to be where you were last, without a complete reload. How many times have you lost a comment or some other content by clicking away (in WP or not) and scrambled to recover it?

comment:6 @SergeyBiryukov3 years ago

  • Version changed from trunk to 3.4

comment:8 @nevma9 months ago

It seems that Firefox actually needs the no-store as well, in order to not cache a page. Otherwise, it serves it from the BFCache. The no-store should be added to the wp_get_nocache_headers function in the Cache-Control header. This is what the MDN documentation in Using Firefox Caching mentions, too.

Note: See TracTickets for help on using tickets.